After an intense competition held in Toronto, Canada from October 24 to 27, Viettel’s VCS team emerged as the champion of Pwn2Own 2023. The team secured an impressive total score of 30 points, earning them the prestigious title of “Master of Pwn.” They outperformed their competitors by a significant margin of 12.75 points.
The total score was calculated based on successful participation and the points assigned to them in the competition’s category tables.
What makes VCS’ victory even more remarkable is the fact that the team is comprised of young achievers. The team consists of 14 members who dedicated three months of relentless effort, working day and night, to prepare for and compete against rivals from around the world.
One of the team’s standout members is Do Anh Dung, a third-year student from the University of Engineering and Technology under the Vietnam National University-Hanoi, born in 2003. Despite their young age, all 14 members of VCS possess considerable experience in cybersecurity, which they have developed over the years through their dedicated work.
Even the youngest member, Dung, made a noteworthy contribution by securing a victory in one of the competition categories, contributing to the team’s overall success.
VCS emerged victorious on the evening of October 27, surpassing formidable opponents such as Sea Security from Singapore, Vupen and Synacktiv from France, and last year’s winners Devcore from Taiwan.
According to Ha Anh Hoang, a member of the VCS team, they were only given information about the devices they had to compromise three months before the opening day of the contest. This meant they had a tight preparation schedule, which included purchasing new devices, exploring their hardware and software, and waiting for some tools ordered from abroad, which took up to a month to arrive.
Nguyen Xuan Hoang, another team member, acknowledged the presence of veteran contestants with experience and capabilities in other rival teams. However, as a cohesive team, VCS was determined to participate with optimal groundwork, committed to competing in a united and strategic manner to achieve the highest results in this year’s competition.
VCS’ victory was the result of months of diligent preparation. Last year, they secured the second prize with a narrow margin of 2.5 points below the winners. This year, they aimed for the championship, fully aware of the challenges posed by the targets set by contest organizers, which included software and devices developed by global industry leaders such as Microsoft, Apple, Google, Samsung, and more.
Throughout the preparation phase, VCS faced various challenges. Adhering to contest rules, they ordered devices from the U.S., but a momentary lapse resulted in the inadvertent damage of a tool meant for a 110V power source, mistakenly plugged into a 220V outlet.
Furthermore, there was the concern of overlapping targets with other teams or manufacturers promptly fixing vulnerabilities registered by the VCS team. Additionally, delays in visa processing prevented VCS from attending the event in person in Toronto. Despite these obstacles, the 14-member team competed online, overcoming potential technical issues during the process.
Against all odds, the team not only secured the championship but also achieved an impressive victory. When they received the highest mark of 10 points in the last section of the contest, their elation was palpable. The convincing win left no room for doubt and delighted everyone involved.
Official results, as announced on the Zero Day Initiative site, congratulated Team Viettel on winning the Master of Pwn title, along with a cash prize of US$180,000 and 30 points. The second prize of $116,250 went to Team Orca (Sea Security) with 17.25 points, and the third award was shared by DEVCORE Intern and Interrupt Labs, each receiving $50,000 and 10 points.
In total, the contestants at Pwn2Own Toronto 2023 secured over $1 million with 58 unique zero-day exploits, including multiple instances of bug collisions. These exploits will be shared with the respective vendors, who now have a 90-day window to develop and release patches.
